FCSS_SASE_AD-25 FCSS - FortiSASE 25 Administrator Questions and Answers

SD-WAN allows efficient and secure routing of traffic from users to corporate applications, while ZTNA enables secure access control and verification for users connecting to internal resources, both of which are essential for Secure Private Access (SPA) in FortiSASE.

Deploying secure private access with SD-WAN enables the hub FortiGate to perform ZTNA posture checks, and supports both TCP and UDP applications over the tunnel, allowing for flexible and secure access to internal resources.

FortiSASE inline-CASB operates in the traffic path to provide real-time visibility and control over data in motion as it is transmitted to and from cloud applications.

In FortiSASE, the recommended method to upgrade FortiClient is to configure an endpoint upgrade rule and assign it to specific endpoint groups. This ensures controlled and automated upgrades across managed devices.

FortiSASE extends secure internet access to users regardless of their location and streamlines the management and provisioning of security policies and services for microbranch offices with unmanaged devices.

FortiSASE releases network lockdown when the endpoint re-establishes the tunnel connection or when it is verified as compliant through ZTNA tag evaluation, ensuring it meets security posture requirements.

The FortiSASE software installations page shows which endpoints have specific software installed, allowing administrators to monitor potentially unwanted applications across the network.

When central management is enabled, security profile group objects are managed exclusively through FortiManager, making them read-only on the FortiSASE portal to ensure centralized policy control.

To enforce device posture checks and ensure that TCP traffic flows through FortiGate, the FortiGate must act as a ZTNA access proxy and host the ZTNA servers and policies. This setup allows posture validation via FortiSASE while routing traffic securely to protected servers through FortiGate.

The bookmark portal is the recommended method for providing contractors access to private web applications through FortiSASE Secure Private Access, as it offers a user-friendly, secure, and controlled access mechanism without requiring full network connectivity.

To exclude specific internet traffic (such as Google Maps) from being tunneled through FortiSASE and instead direct it out the local endpoint interface, you must configure it as a steering bypass destination in the FortiClient endpoint profile. This ensures traffic matching the URL bypasses the FortiSASE tunnel.

The “Automatically patch vulnerabilities” option is disabled in the endpoint profile. Additionally, the Vulnerability Dashboard shows the patching status as “Manual patching required.” This means an administrator must manually initiate the patching process remotely using FortiSASE.